[isalist] Re: wpad.dat DNS entry
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Sat, 2 Sep 2006 09:17:54 -0500
Didn't ANYONE read the link I sent???
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Saturday, September 02, 2006 2:20 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
I want to make sure about the mixed configuration among the RR feature,
an ISA EE array and also NLB when enabling client-side CARP
through WPAD.
Case 1): ISA EE Array without NLB
per Jim's saying, RR shall be disabled since it
conflicts with client-side CARP.
Case 2): ISA EE Array with NLB
a) RR enabled
- DNS holds A records for both the array's VIP and
DIP
This is not a good configuration I suppose, per
case 1)
b) RR disabled
- DNS holds A records for both the array's VIP and
DIP
I am not sure how client-side CARP handles it.
- DNS holds an A record for the array's VIP only
I am not sure either!
With regards,
Roy Tsao
----- Original Message -----
From: Periyasamy, Raj
<mailto:Raj.Periyasamy@xxxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Saturday, September 02, 2006 4:45 AM
Subject: [isalist] Re: wpad.dat DNS entry
Are we talking about RR or NLB? Because if you use NLB
with ISA EE, you don't need RR.
HTH.
Regards,
Raj Periyasamy
MCSE(Messaging), CCNA
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Friday, September 01, 2006 12:00 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
Hi Periyasamy,
How are you sure the array's FQDN is never resolved to the VIP
by round-robin DNS?
Roy
----- Original Message -----
From: Periyasamy, Raj
<mailto:Raj.Periyasamy@xxxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Friday, September 01, 2006 11:38 PM
Subject: [isalist] Re: wpad.dat DNS entry
You still need to keep the physical names of
both array members in the DNS. WPAD will issue a script to the client
that will point to both the ISA servers by the physical name, not the
virtual name of NLB. When you do NETSTAT you will see that your client
is actually talking to the physical names of the ISA and not the virtual
name.
HTH.
Regards,
Raj Periyasamy
MCSE(Messaging), CCNA
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Friday, September 01, 2006 11:27 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
Jim,
I am thinking about one more RR-related scenario
under ISA EE (not SE): say after enabling
NLB at the internal interface of the ISA EE array, what
shall be the correct setting
at DNS when an A record is set as array's FQDN ->
array's VIP:
1) keep an A record of each array member at
DNS
2) or those must be deleted
How is client-side CARP in 1) and 2)?
----- Original Message -----
From: Roy Tsao
<mailto:caohuiming@xxxxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Friday, September 01, 2006 11:08
PM
Subject: [isalist] Re: wpad.dat DNS
entry
Jim,
You are pointing out a sort of worse issue
in so-called double load sharing using RR and
client-side CARP under an ISA EE array,
that's true!
However in the scenario I showed, RR is
used for load-sharing among ISA SE...
Dan,
I remembered you once mentioned Raiwall
was used in your network for NLB under ISA SE,
that's another reason I propose RR
for ISA SE.
----- Original Message -----
From: Jim Harrison
<mailto:Jim@xxxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx ;
isalist@xxxxxxxxxxxxx
Sent: Friday, September 01, 2006 9:39 PM
Subject: [isalist] Re: wpad.dat DNS
entry
If these servers operate in an array,
using RR can actually decrease your load-sharing across the array.
Since we're talking about WPAD here, you
*must* bear in mind that the script obtained from the ISA contains a
list of servers by name or IP, depending on your configuration.
If you try to round-robin or (worse
yet), NLB these IPs, client-side CARP will fight with the LB mechanism.
BTW, there's nothing wrong with multiple
internal subnets.
In fact, it can help you control
segmentation better, because no DG == no non-local subnet & blackhole
routers == no non-local subnet.
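An added example, not code from the original thread and not the wpad.dat that ISA generates, to illustrate Jim's point above. The selection routine is a simplified client-side CARP hash modeled on the public CARP v1 draft; the array member names (isa1.dan.local, isa2.dan.local), the URL and both DNS record sets are constructed for the illustration. With one stable A record per member, every request for a given URL lands on the same physical server; when the member names themselves are round-robined, the same deterministic choice resolves to a different box each time, which is the fight between CARP and the load balancer that Jim describes.

```javascript
// Added example: simplified client-side CARP selection of the kind a WPAD
// script performs. Modeled on the public CARP v1 draft, not on ISA's actual
// wpad.dat. Member names, URL and DNS record sets are constructed.

// 32-bit rotate left with unsigned result.
function rotl(x, n) {
  return ((x << n) | (x >>> (32 - n))) >>> 0;
}

// CARP string hash: fold each character into a rotating 32-bit value,
// then scramble (h += h * 0x62531965; rotate 21).
function carpHash(s) {
  let h = 0;
  for (let i = 0; i < s.length; i++) {
    h = (rotl(h, 19) + s.charCodeAt(i)) >>> 0;
  }
  h = (h + Math.imul(h, 0x62531965)) >>> 0;
  return rotl(h, 21);
}

// Score of one member for one URL: combine the two hashes and scramble again.
function combinedScore(urlHash, memberHash) {
  let c = (urlHash ^ memberHash) >>> 0;
  c = (c + Math.imul(c, 0x62531965)) >>> 0;
  return rotl(c, 21);
}

// The member with the highest score wins. Same URL + same member list
// always yields the same member: that is what gives cache affinity.
function selectMember(url, members) {
  const urlHash = carpHash(url);
  let best = null;
  let bestScore = -1;
  for (const m of members) {
    const score = combinedScore(urlHash, carpHash(m));
    if (score > bestScore) {
      bestScore = score;
      best = m;
    }
  }
  return best;
}

// Constructed DNS data. Stable: one A record per member name.
const STABLE_DNS = {
  'isa1.dan.local': ['192.168.0.1'],
  'isa2.dan.local': ['192.168.0.2'],
};
// Round robin: both names answer with both addresses, rotating per query.
const RR_DNS = {
  'isa1.dan.local': ['192.168.0.1', '192.168.0.2'],
  'isa2.dan.local': ['192.168.0.1', '192.168.0.2'],
};

// A resolver that returns the first answer and rotates the answer order on
// every query for a name, modeling DNS round robin as seen by one client.
function makeResolver(records) {
  const counters = {};
  return function resolve(name) {
    const addrs = records[name];
    const n = counters[name] || 0;
    counters[name] = n + 1;
    return addrs[n % addrs.length];
  };
}

// Issue `count` requests for `url`; return the distinct physical addresses
// the CARP-selected member name actually resolved to.
function serversReached(url, members, records, count) {
  const resolve = makeResolver(records);
  const seen = new Set();
  for (let i = 0; i < count; i++) {
    seen.add(resolve(selectMember(url, members)));
  }
  return [...seen].sort();
}

const MEMBERS = ['isa1.dan.local', 'isa2.dan.local'];
console.log('stable A records:', serversReached('http://www.isaserver.org/', MEMBERS, STABLE_DNS, 4));
console.log('round-robin names:', serversReached('http://www.isaserver.org/', MEMBERS, RR_DNS, 4));
```

The check this suggests for a real array: take the member list out of the wpad.dat the client actually downloads and confirm that each name in it resolves to exactly one member address; a name that returns more than one address, or that rotates between queries, undoes the affinity the hash was meant to provide.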
________________________________
From: isalist-bounce@xxxxxxxxxxxxx on
behalf of Ball, Dan
Sent: Fri 9/1/2006 4:20 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS
entry
Okay, my bad, someday I'll get those
terms right... What you say makes sense, it's definitely an option...
I'm just hoping our WAN fiber goes into
place soon, then I won't have to worry about multiple internal sub-nets
anymore...
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 2:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS
entry
Hi Dan,
I said "Except SNAT".
Moreover, unless a special client is required
as SNAT, like a published server, FWC plus WPC shall be deployed to most of the
clients under an ISA Firewall environment, so
we can maximize the benefit provided by ISA, right?
So even if there is a gateway at the client
side, most of them shall go through an FWC or WPC connection.
Again, I try to say the positive point
of the DNS round robin feature, that's it.
HTH,
Roy
----- Original Message -----
From: Thomas W Shinder
<mailto:tshinder@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Friday, September 01, 2006 1:37 AM
Subject: [isalist] Re: wpad.dat DNS
entry
I've done it in many deployments, and
IIRC, that's how they do it at MS.
Thomas W Shinder, M.D.
Site: www.isaserver.org
<http://www.isaserver.org/>
Blog:
http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, August 31, 2006 12:26 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS
entry
We had briefly touched upon this topic
about a year or so ago, but I wasn't aware that it was an actual common
practice...
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Thursday, August 31, 2006 12:18 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS
entry
Hi Dan,
In most secure environments you don't
give the clients a default gateway and use the Firewall and Web proxy
client configurations to enforce security. So, this might work fine
using RR DNS.
Thomas W Shinder, M.D.
Site: www.isaserver.org
<http://www.isaserver.org/>
Blog:
http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, August 31, 2006 11:02 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS
entry
I'd have to say no...
- External sites are resolved by DNS server.
- Resolved sites are referenced then by IP address.
- Since an external site is resolved to an IP that is not a "local"
address, it resorts to using the default gateway to connect.
- Default gateways are entered by IP, not hostname, nullifying the
round-robin DNS abilities.
The exception to this might be if you
use the FWC, then you might be able to redirect all connections via DNS
entries. You might be able to share the proxy address too, but that
default gateway is a kicker...
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 10:00 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS
entry
Hm...
You have two ISA SE, let say its
internal interface IP address is 192.168.0.1/24 and 192.168.0.2/24.
You creat two a record in DNS,
isa.dan.local -> 192.168.0.1 and isa.dan.local -> 192.168.0.2
Then by DNS round robin, your internal
client (except SNAT) would enjoy the connection to either
of the ISA SE server for ounbound
connection, make sense?
----- Original Message -----
From: Ball, Dan
<mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 9:01 PM
Subject: [isalist] Re: wpad.dat DNS
entry
I think that would only work on inbound
connections. You can't define round-robin DNS entries for someone
else's server!
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 8:42 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS
entry
Surely about outbound connection!
----- Original Message -----
From: Ball, Dan
<mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 8:34 PM
Subject: [isalist] Re: wpad.dat DNS
entry
You referring to incoming or outgoing
connections?
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 8:28 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS
entry
Dan,
Suppose you have two external lines
provided by different ISPs; normally two ISA EE are needed,
but by using DNS round robin you can
deploy two ISA SE for load balancing..., that's my
point.
HTH,
Roy
----- Original Message -----
From: Ball, Dan
<mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 8:19 PM
Subject: [isalist] Re: wpad.dat DNS
entry
No, you would still have that "one
default gateway" problem... Besides, that feature is only for DNS
entries that "you" control, not external.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 4:36 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS
entry
Dan,
Your problem is due to the DNS round robin
feature, and it shall be solved by Stefaan's great
guidance.
On the other hand, don't you think we
can utilize such round robin as a good feature to
implement NLB to balance connections to
multiple external interfaces by using the ISA STD version
only?
HTH,
Roy Tsao
----- Original Message -----
From: Stefaan Pouseele
<mailto:stefaan.pouseele@xxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 4:08 PM
Subject: [isalist] Re: wpad.dat DNS
entry
you might check out
http://support.microsoft.com/?kbid=842197.
HTH,
Stefaan
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: donderdag 31 augustus 2006 3:28
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS
entry
Good article, it sounds very similar to
my scenario. I already had the "enable netmask ordering" option
enabled, so that is not the problem. Do you think it might be because
each of the 10.6.x.x subnets has a mask of 255.255.255.0?
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
Sent: Wednesday, August 30, 2006 3:57 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS
entry
Hi Dan,
check out my blog
http://blogs.isaserver.org/pouseele/2006/06/30/multi-networking-wpad-support-in-isa-2004/.
HTH,
Stefaan
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: woensdag 30 augustus 2006 21:47
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] wpad.dat DNS entry
I'm having a serious problem here with
the wpad name resolution. I moved it from being sent out via DHCP to
DNS per Jim's recommendation, which seems to have sped up some
things, but is now unreliable and causing problems.
The problem appears to be the multiple
internal subnets... Here is a diagram of how it is laid out:

    Internet
       |
    ISA Server --- Internal Network 1 (10.20.1.1)
       |
    Internal Network 2 (10.6.254.90) ---- 10.6.8.x Subnet
                                      |-- 10.6.9.x Subnet
                                      |-- 10.6.10.x Subnet
                                      |-- 10.6.12.x Subnet
                                      |-- 10.6.14.x Subnet
                                      |-- 10.6.15.x Subnet

I entered two Host (A) records for wpad,
one for 10.20.1.1, and another for 10.6.254.90.
Frequently I run across computers on the
10.6.x.x subnet where the FWC cannot automatically detect the ISA
server, so I ping wpad and it resolves to the 10.20.1.1 address instead
of the 10.6.254.90 address that it is supposed to get. I try repairs
and such, it keeps resolving to the wrong one. When I reboot the
computer, it resolves to the correct IP and works properly. I reboot
the computer several times, and it gets the correct address. But, I'll
hear of another computer having problems, and I'll check and it is the
same problem. This is not going to be pretty over the next few days as
teachers come back to work after summer vacation.
What is the best way to resolve this?
Change it back to DHCP, customize host files, etc?
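An added example, not part of Dan's post and not the Windows DNS Server code, modeling how netmask ordering plus round robin order the two wpad A records from the diagram above (10.20.1.1 and 10.6.254.90). The client addresses, the prefix lengths and the query counts are constructed; the matching width a real server uses is a server-side setting that the client cannot influence. The same model, with ordering switched off, is the plain two-A-record round robin that Roy proposes for isa.dan.local earlier in the thread. A client on 10.6.9.x with a /24 match gets 10.20.1.1 first on every other query, which is exactly the symptom Dan reports; with a /16 match the 10.6.254.90 record always comes first.

```javascript
// Added example: a model of DNS netmask ordering and round robin, written to
// show why a 10.6.9.x client can receive the 10.20.1.1 wpad record first.
// Modeled after the Windows DNS Server feature; the real implementation is
// not reproduced. The client addresses and prefix lengths are constructed.

// Parse dotted-quad IPv4 into an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) | parseInt(octet, 10), 0) >>> 0;
}

// True when a and b share their first prefixLen bits (1..32).
function sameNetwork(a, b, prefixLen) {
  if (prefixLen <= 0) return true;
  const mask = (0xFFFFFFFF << (32 - prefixLen)) >>> 0;
  return ((ipToInt(a) & mask) >>> 0) === ((ipToInt(b) & mask) >>> 0);
}

// Build a server that answers a multi-record name the way netmask ordering
// does: records on the client's network first, everything else rotated
// round robin on each query. prefixLen === null models ordering turned off.
function makeNetmaskOrderingServer(records, prefixLen) {
  let rotation = 0;
  return function answer(clientIp) {
    const isLocal = (r) => prefixLen !== null && sameNetwork(r, clientIp, prefixLen);
    const local = records.filter(isLocal);
    const remote = records.filter((r) => !isLocal(r));
    const rotated = remote.map((_, i) => remote[(i + rotation) % remote.length]);
    rotation = (rotation + 1) % Math.max(1, records.length);
    return local.concat(rotated);
  };
}

// Query `count` times from one client and count which address came first,
// since the first answer is the one a stub resolver hands to the application.
function firstAnswerHistogram(clientIp, records, prefixLen, count) {
  const server = makeNetmaskOrderingServer(records, prefixLen);
  const hist = {};
  for (let i = 0; i < count; i++) {
    const first = server(clientIp)[0];
    hist[first] = (hist[first] || 0) + 1;
  }
  return hist;
}

// The two wpad A records from the thread.
const WPAD_RECORDS = ['10.20.1.1', '10.6.254.90'];

// Constructed client on the 10.6.9.x subnet, /24 match: neither record is
// on the client's network, so both are round-robined and wpad flips.
console.log('10.6.9.25, /24 match:', firstAnswerHistogram('10.6.9.25', WPAD_RECORDS, 24, 4));
// Same client, /16 match: 10.6.254.90 is local and always answered first.
console.log('10.6.9.25, /16 match:', firstAnswerHistogram('10.6.9.25', WPAD_RECORDS, 16, 4));
// Client on 10.20.1.x is served correctly either way.
console.log('10.20.1.50, /24 match:', firstAnswerHistogram('10.20.1.50', WPAD_RECORDS, 24, 4));
// Ordering off (Roy's isa.dan.local case): pure round robin.
console.log('ordering off:', firstAnswerHistogram('10.6.9.25', WPAD_RECORDS, null, 4));
```

The model explains the intermittent behaviour: a /24 match never fires for a client on 10.6.9.0/24, because the correct record sits on 10.6.254.0/24, so the server falls back to rotating the two answers and roughly every other client is handed the wrong one. Once cached by the client resolver the wrong answer sticks until the cache is flushed or the machine reboots, which matches the reboot pattern Dan describes.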